

Subject: Issue 51: sp:RequireDerivedKeys is underspecified


This issue is forever more known as issue 51.


-----Original Message-----
From: Martin Gudgin 
Sent: Wednesday, March 29, 2006 1:43 AM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: NEW ISSUE: sp:RequireDerivedKeys is underspecified

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.  
The issues coordinators will notify the list when that has occurred.

Protocol:  ws-sp 


WS-SecurityPolicy v1.2 Editors Draft 01 17 January 2006
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/16289/ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf


Artifact:  spec

Type:

design

Title:

sp:RequireDerivedKeys is underspecified.

Description:

Section 5.2 defines a [Derived Keys] property and Section 5.3 defines an
sp:RequireDerivedKeys assertion that populates that property. Although
WS-SecureConversation allows for two serialized forms of derived keys,
implicit and explicit, WS-SecurityPolicy does not provide a mechanism to
constrain derived keys to one or the other form.

Related issues:

None

Proposed Resolution:

1.	Add a paragraph after the first paragraph in section 5.2.1;

See the [Explicit Derived Keys] and [Implicit Derived Keys] properties
below for information on how particular forms of derived keys are
specified.

2.	Add a section 5.2.2 as follows;

5.2.2 [Explicit Derived Keys] property

This boolean property specifies whether Explicit Derived Keys (ref to
WS-SecureConv Section 7) are allowed. If the value is 'true' then
Explicit Derived Keys MAY be used. If the value is 'false' then Explicit
Derived Keys MUST NOT be used.

3.	Add a section 5.2.3 as follows;

5.2.3 [Implicit Derived Keys] property

This boolean property specifies whether Implicit Derived Keys (ref to
WS-SecureConv Section 7.3) are allowed. If the value is 'true' then
Implicit Derived Keys MAY be used. If the value is 'false' then Implicit
Derived Keys MUST NOT be used.

5.	In Section 5.3 amend the various descriptions of
sp:RequireDerivedKeys to read as follows;


/sp:XXXToken/wsp:Policy/sp:RequireDerivedKeys
	This optional element sets the [Derived Keys], [Explicit Derived
Keys] and [Implicit Derived Keys] properties for this token to 'true'.

5.	In section 5.3 add the following to the various token assertions
that support derived keys;

/sp:XXXToken/wsp:Policy/sp:RequireExplicitDerivedKeys
	This optional element sets the [Derived Keys] and [Explicit
Derived Keys] properties for this token to 'true' and the [Implicit
Derived Keys] property for this token to 'false'.

/sp:XXXToken/wsp:Policy/sp:RequireImplicitDerivedKeys
	This optional element sets the [Derived Keys] and [Implicit
Derived Keys] properties for this token to 'true' and the [Explicit
Derived Keys] property for this token to 'false'.
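
The property mapping in the proposed resolution, written out as a policy check. This is an added example, not part of the original message or of any WS-SX deliverable. Assumptions: the namespace URIs, the sp:X509Token sample, all three properties being 'false' when no assertion is present, and rejecting a policy that carries more than one of the three assertions (the message does not say how they combine).

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs (not given in the message); use the ones that match
# the WS-SecurityPolicy / WS-Policy versions actually deployed.
NS = {
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}

# Assertion -> ([Derived Keys], [Explicit Derived Keys], [Implicit Derived Keys])
ASSERTIONS = {
    "RequireDerivedKeys": (True, True, True),
    "RequireExplicitDerivedKeys": (True, True, False),
    "RequireImplicitDerivedKeys": (True, False, True),
}

def token_with(*names):
    """Build a constructed sample token assertion carrying the named assertions."""
    inner = "".join("<sp:%s/>" % n for n in names)
    return ('<sp:X509Token xmlns:sp="%s" xmlns:wsp="%s"><wsp:Policy>%s'
            "</wsp:Policy></sp:X509Token>" % (NS["sp"], NS["wsp"], inner))

def derived_key_properties(token_xml):
    """Compute the three properties for one token assertion."""
    # Parse policies from untrusted sources with a hardened XML parser instead.
    policy = ET.fromstring(token_xml).find("wsp:Policy", NS)
    found = [n for n in ASSERTIONS
             if policy is not None and policy.find("sp:" + n, NS) is not None]
    if len(found) > 1:
        # Combination rules are not defined in the proposal: refuse, don't guess.
        raise ValueError("conflicting derived-key assertions: %s" % found)
    # Assumption: with no assertion present, every property is 'false'.
    dk, explicit, implicit = ASSERTIONS[found[0]] if found else (False,) * 3
    return {"derived": dk, "explicit": explicit, "implicit": implicit}

def form_permitted(props, form):
    """form is 'explicit' or 'implicit'; a 'false' property means MUST NOT be used."""
    return props["derived"] and props[form]

if __name__ == "__main__":
    props = derived_key_properties(token_with("RequireImplicitDerivedKeys"))
    print(props, "explicit allowed:", form_permitted(props, "explicit"))
```

A receiver would call `form_permitted` with the form it observed on the wire before accepting a message protected by a derived key.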

